[ale] Can stunnel be used in front of a small http server?
Christopher Fowler
cfowler at outpostsentinel.com
Wed May 3 13:23:40 EDT 2006
On Wed, 2006-05-03 at 13:09 -0400, Jim wrote:
> I don't think the limitation will hurt. There are only a few hosts that
> will be allowed to communicate with this system and I can use the
> firewall to limit that.
>
> So what does the configuration look like?
Really simple
[root@merc01]# cat /etc/stunnel.conf
cert = /etc/stunnel.pem
pid = /var/run/stunnel.pid
setuid = root
setgid = root
TIMEOUTclose = 0
[https]
accept = https
connect = 127.0.0.1:http
And then thttpd does not have any config file.
All options are on command line
/sbin/httpd -d /usr/www -l/dev/null -p 80 -c/cgi-bin/* -i /var/run/httpd.pid
That is it. I wrote the xml-rpc engine on the device in C.
XML-RPC does not have any auth spec so I had to make one up. I force
the client to go to /cgi-bin/web.login and do a POST of the login form.
This auths them and gives them a valid cookie. That cookie is then used
by the LWP or any other web client when gaining access to
/cgi-bin/web.xmlrpc. So if there is no cookie when the client tries to call
an xml-rpc method then they get a 302 redirect to the login page. Works
great.
In the example I sent to the list I was using the Perl Frontier client.
I did modify that client to accept a LWP object as an argument to new()
so that I could pass a LWP object that had a valid cookie.
----------------------------------------------------------------------
#!/usr/bin/perl
use Frontier::Client;
use HTTP::Request;
use LWP::UserAgent;
use MIME::Base64;
use strict;
die "version.pl <ENS address>\n" unless $ARGV[0];
my $ENS = $ARGV[0];
# User agent with a persistent cookie jar so the login cookie is reused
my $ua = LWP::UserAgent->new();
$ua->cookie_jar({ file => "$ENV{HOME}/.cookies.txt" });
# Log in through the form; the server answers with the session cookie
my $response = $ua->post("http://$ENS/cgi-bin/web.login",
{ 'f_login' => "root", 'f_password' => "password" });
# Locally modified Frontier::Client: new() accepts the LWP object via ua
my $server = Frontier::Client->new( debug => 1,
url => "http://$ENS/cgi-bin/web.xmlrpc", ua => $ua );
my $result = $server->call('version', (""));
print "$result\n";
----------------------------------------------------------------------
>
> Thanks,
> Jim.
> Christopher Fowler wrote:
>
> >On Wed, 2006-05-03 at 10:28 -0400, Jim wrote:
> >
> >
> >>I'm trying to avoid installing a full blown apache server but I need a
> >>xmlrpc server running secure (ssl). I was thinking about one of the
> >>small http servers with stunnel.
> >>
> >>
> >
> >You need to contact me directly. I have this setup working great.
> >
> >1. thttpd
> >2. stunnel
> >3. xml-rpc available via either 80 or 443
> >
> >Example of getting software version info from device:
> >
> >---- request ----
> ><?xml version="1.0"?>
> ><methodCall>
> ><methodName>version</methodName>
> ><params>
> ><param><value><string></string></value></param>
> ></params>
> ></methodCall>
> >---- response ----
> ><?xml version="1.0"?>
> ><methodResponse>
> ><params>
> ><param>
> ><value><string>Version: 1.0.0 Development, Build:
> >050106-090415</string></value>
> ></param>
> ></params>
> ></methodResponse>
> >Version: 1.0.0 Development, Build: 050106-090415
> >
> >Now the only problem is that thttpd sees all 443 connections as coming
> >from 127.0.0.1. If that is okay then you're in great shape to implement.
> >
> >
> >>Has anyone heard of that? Is it conceivable?
> >>
> >>Thanks,
> >>Jim.
> >>_______________________________________________
> >>Ale mailing list
> >>Ale at ale.org
> >>http://www.ale.org/mailman/listinfo/ale
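An added example, not part of the original message or of stunnel/thttpd: a small audit of the stunnel.conf and thttpd command line quoted above. It flags the two settings a reviewer would question in that setup: stunnel staying root, and thttpd listening on every interface so port 80 still answers in cleartext. The audit rules, and the premise that stunnel is started as root, are assumptions of this example.

```python
import shlex

# Inputs copied from the message above; the audit rules are this example's assumptions.
STUNNEL_CONF = """cert = /etc/stunnel.pem
pid = /var/run/stunnel.pid
setuid = root
setgid = root
TIMEOUTclose = 0
[https]
accept = https
connect = 127.0.0.1:http
"""
THTTPD_CMD = "/sbin/httpd -d /usr/www -l/dev/null -p 80 -c/cgi-bin/* -i /var/run/httpd.pid"
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def parse_stunnel(text):
    """Split stunnel.conf into (global options, {service name: options})."""
    glob, services, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            (glob if cur is None else cur)[key.lower()] = val
    return glob, services

def audit(conf, thttpd_cmd):
    """Return findings for the stunnel + thttpd pairing; an empty list means none."""
    glob, services = parse_stunnel(conf)
    findings = []
    for opt in ("setuid", "setgid"):
        # Assumes stunnel is started as root (needed to bind 443), so unset means root.
        if glob.get(opt, "root") in ("root", "0"):
            findings.append(f"{opt}: stunnel keeps running as root after binding its port")
    for name, svc in services.items():
        # A connect value with no host part means localhost.
        host = svc.get("connect", "").rpartition(":")[0].strip("[]") or "localhost"
        if host not in LOOPBACK:
            findings.append(f"[{name}] connect: decrypted traffic is forwarded off-host to {host}")
    args = shlex.split(thttpd_cmd) + [""]
    # thttpd binds every address unless -h names one.
    bind = next((a[2:] or args[i + 1] for i, a in enumerate(args) if a.startswith("-h")), "")
    if bind not in LOOPBACK:
        findings.append("thttpd: no loopback -h bind, so its port also answers in cleartext")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(STUNNEL_CONF, THTTPD_CMD)))
```

Pointing setuid/setgid at a dedicated unprivileged account and starting thttpd with `-h 127.0.0.1` clears all three findings; the login POST then has to go through the https listener.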